Hi, Is it possible to use radius WITHOUT MD5 hashing? Instead, I wish to send user and pass as plain text.
Zoran
On Mon, 30 Jan 2006 15:27:11 +0100, Zoran Milic wrote
Hi, Is it possible to use radius WITHOUT MD5 hashing? Instead, I wish to send user and pass as plain text.
You really DON'T want to do that. You only THINK you do. ;)
Seriously, though, why would you want to try and bypass your own best hope of password security?
N.
I have a custom made RADIUS server, which doesn't use md5, and I'm not keen on writing md5 hashig funcions. Beside, my RADIUS server is in the same room as the SER server so I am not afraid of sniffing or something. Has anybody tried it with out MD5? (that is, if there is a way to do so.)
Zoran
On Monday 30 January 2006 15:30, sip wrote:
On Mon, 30 Jan 2006 15:27:11 +0100, Zoran Milic wrote
Hi, Is it possible to use radius WITHOUT MD5 hashing? Instead, I wish to send user and pass as plain text.
You really DON'T want to do that. You only THINK you do. ;)
Seriously, though, why would you want to try and bypass your own best hope of password security?
N.
I think the limitation may be on the client side for that. Usually, username/password authentication is done using a www_challenge response (which uses md5 hashes to send data so it's not wholly insecure). Since this is being done, all your Radius server will get is likely to be md5'd passwords.
I'm not sure it could be done without rewriting SOMEthing. At the very least, you'd have to rewrite the auth_radius module to handle something other than a digest response.
N.
On Mon, 30 Jan 2006 16:05:20 +0100, Zoran Milic wrote
I have a custom made RADIUS server, which doesn't use md5, and I'm not keen on writing md5 hashig funcions. Beside, my RADIUS server is in the same room as the SER server so I am not afraid of sniffing or something. Has anybody tried it with out MD5? (that is, if there is a way to do so.)
ZoranOn Monday 30 January 2006 15:30, sip wrote:
On Mon, 30 Jan 2006 15:27:11 +0100, Zoran Milic wrote
Hi, Is it possible to use radius WITHOUT MD5 hashing? Instead, I wish to send user and pass as plain text.
You really DON'T want to do that. You only THINK you do. ;)
Seriously, though, why would you want to try and bypass your own best hope of password security?
N.
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
Thanks, I believe u are right.
Zoran
On Monday 30 January 2006 16:20, sip wrote:
I think the limitation may be on the client side for that. Usually, username/password authentication is done using a www_challenge response (which uses md5 hashes to send data so it's not wholly insecure). Since this is being done, all your Radius server will get is likely to be md5'd passwords.
I'm not sure it could be done without rewriting SOMEthing. At the very least, you'd have to rewrite the auth_radius module to handle something other than a digest response.
N.
On Mon, 30 Jan 2006 16:05:20 +0100, Zoran Milic wrote
I have a custom made RADIUS server, which doesn't use md5, and I'm not keen on writing md5 hashig funcions. Beside, my RADIUS server is in the same room as the SER server so I am not afraid of sniffing or something. Has anybody tried it with out MD5? (that is, if there is a way to do so.)
ZoranOn Monday 30 January 2006 15:30, sip wrote:
On Mon, 30 Jan 2006 15:27:11 +0100, Zoran Milic wrote
Hi, Is it possible to use radius WITHOUT MD5 hashing? Instead, I wish to send user and pass as plain text.
You really DON'T want to do that. You only THINK you do. ;)
Seriously, though, why would you want to try and bypass your own best hope of password security?
N.
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
-
sip -
Zoran Milic